As confusion ensued after the Equifax data breach affecting up to 143 million consumers, what remained very clear was that some of the stolen data will haunt people forever.

Social Security numbers, birth dates, home address histories — you just can’t change those things, which led privacy researcher Sarah Jamie Lewis to quip on Twitter, “Don’t forget to change your name, date of birth, home address and Social Security number regularly.”

Don't forget to change your name, date of birth, home address and social security number regularly.

The Equifax breach stabbed millions of Americans in the gut because this was a company consumers rarely dealt with, let alone consciously shared details, such as annual incomes, automobile purchases and mailing addresses. But such data and untold more were potentially siphoned out of Equifax’s database months ago by cybercriminals.

While there’s outrage that Equifax failed to protect consumer data properly, the security industry and consumer advocates say that common data used to verify people are who they say they are — most notably the Social Security number — should never have been used in the first place.

“Things like your address, your birth date, your name. They’re not secrets. They were never meant to be secrets,” said Patrick Harding, chief technology officer at Ping Identity in Denver. “The fact that those together can be used to impersonate you, that’s wrong. We started in the wrong place.”

Social Security numbers were never intended to verify a person is who he says he is, according to the Social Security Administration’s history page. The unique number, created in 1936, was meant to track a person’s work history for Social Security benefits.

Of course, even the agency realized that the number has since become widely used because it is unique to an individual. Companies often ask for SSNs whether they need them or not. And Americans rarely flinch when asked to share the number to apply for a home loan, apartment lease, health insurance, credit card or a job.

“Generally, there are no restrictions in federal law precluding the use of the SSN by the private sector, so businesses may ask individuals for an SSN whenever they wish,” according to the agency.

“I warned Congress more than 25 years ago that it was a mistake to allow the Social Security number to be used as a general purpose identifier. And over the last 25 years, the United States has experienced a dramatic increase in identity theft and financial fraud, largely traced to the growing use of the SSN,” said Mark Rotenberg, president of the Electronic Privacy Information Center and an adjunct professor at Georgetown University law school. “They should have listened.”

In May, a data-privacy regulation will go into effect to embolden citizens in the European Union to find out what personal data a company has collected, ask who it has been shared with and then demand that it all be deleted. Companies that do business in the EU could be penalized up to 4 percent of global revenues. If the General Data Protection Regulation had been in effect, Equifax could have been fined up to $124 million based on its $3.1 billion in revenues since some affected consumers live in Europe.

“What we need to move to is a system where an individual can prove their identity to somebody, but to make it such that when you do, you’re not giving that party information to impersonate you,” said Steve Grobman, chief technology officer at security software firm McAfee Inc. “Is the tech there to do this? The short answer is yes. So why would we move to another, securer system for our credit cards faster than a system that would prove our identities?”

Grobman is referring to the move in 2015 by credit companies Visa and Mastercard forcing U.S. retailers to move to chip cards to cut down on counterfeit cards. The chip technology produces a unique code for each transaction so the actual card number isn’t shared. For added security, some banks also require a PIN code.

Technology exists to protect and verify identities. More secure solutions rely on multiple methods to prove a person’s identity. Denver cybersecurity firm Ping Identity offers multifactor authentication, which is a mix of unique passwords, geolocation, biometrics and verification on a second device such as a mobile phone.

“There is no silver bullet that I’m aware of, but there are alternatives to allow you to prove you are who you are,” said Harding. “There are applications emerging where to register, you type in information and use your iPhone to scan your driver’s license so they can match the two together with the photo on the screen. They can pull the data off the driver’s license.”

Facial recognition

Biometrics, including Apple’s new facial recognition for its iPhone X, doesn’t just rely on an image of a face. It uses infrared technology to scan 30,000 dots on your face and capture a 3-D image plus movement. Its older Touch ID technology, requiring a fingerprint to unlock the phone, looks underneath the top layer of skin to identify the nooks and crannies of the layer that can’t be seen. The data is also stored on an encrypted chip, rather than someone’s cloud, so it’s never shared with an outsider.

And there is behavioral biometrics, which goes beyond mere recognition of a body part, Harding said.

“A service can determine who you are based on the way you’re typing or the way you hold your phone. You can start to detect that this is Patrick holding the phone as opposed to someone else,” he said. “Combine that with facial recognition and geolocation, all of those things can be used together to determine who you are.”

Identity-theft complaints to the FTC declined in 2016, but at 399,225, it’s the second highest year since 2001.

Consumers should monitor their bank accounts. They can take Equifax up on its offer of free credit monitoring for one year. But that will only tell consumers when someone has applied for credit in their name. Others suggest a credit freeze, which prevents anyone — including the consumer — from getting approved for new credit. Consumers who set this up, however, would get a PIN in case they need to end the freeze temporarily.

“Sadly, the reliance on trivial discoverable information as part of securing loans as well as lack of information security investment has created a world where identity theft is common and preventing it is mostly out of your control,” said Lewis, who is based in Vancouver. “If your data hasn’t been stolen this time, there have been plenty of opportunities in the past and will be plenty in the future. So the best advice is to stay calm and be prepared.”

More in Technology

Doing business in Denver since late 2018, San Francisco-based marketing tech firm Iterable is taking part in its first Denver Startup Week. Not only is it an event sponsor, but it taking part in the startup crawl program, showing off its new office, and the Startup Week job fair Wednesday night.

Considering how vehicles bearing the businesses' distinctive black, pink and sometimes both logos seem to be everywhere in Denver these days, it's almost hard to believe ride-hailing services Lyft and Uber only got started in the Mile High City six years ago. The competitors both debuted in September 2013

It's a quiet, efficient way to get around the National Renewable Energy Laboratory campus The all-electric, self-driving shuttle that officially started ferrying people Monday is also the latest addition to NREL's "living lab ecosystem," where federal scientists team with other researchers and private businesses on advances in the energy and transportation.

The doorbell-camera company Ring has quietly forged video-sharing partnerships with more than 400 police forces across the United States, granting them potential access to homeowners’ camera footage and a powerful role in what the company calls the nation’s “new neighborhood watch.”